Scanning and remediating configuration settings of a device using a policy-driven approach

ABSTRACT

The present disclosure relates to systems, methods, and computer-readable media for implementing an efficient and flexible policy-driven approach to securing a computing device. For example, systems disclosed herein can enforce a first security policy of a first security standard. Systems disclosed herein can further audit for a first compliance level with the first security standard. Systems disclosed herein can further audit for a second compliance level with a second security standard. Systems disclosed herein can further determine an overlap between the first security standard and the second security standard, the overlap associated with a second security policy. Systems disclosed herein can further enforce the second security standard. Systems disclosed herein can further determine an update of the first compliance level based on the overlap.

RELATED APPLICATION

This patent arises from a continuation of U.S. patent application Ser. No. 16/125,543 (now U.S. Pat. No. 11,310,283), which was filed on Sep. 7, 2018. U.S. patent application Ser. No. 16/125,543 is hereby incorporated herein by reference in its entirety. Priority to U.S. patent application Ser. No. 16/125,543 is hereby claimed.

BACKGROUND

Recent years have seen rapid development in software products and electronic devices. For example, software products can affect functionality related to communication of data to and from electronic devices as well as operation of operating systems and/or individual applications installed on the electronic devices. As software and hardware become more complex, it becomes increasingly difficult to effectively secure information contained on electronic devices as well as information transmitted to and from electronic devices (e.g., over the Internet). Indeed, in an attempt to gather information, many individuals use viruses, spyware, malware, and other threatening tools to gather sensitive and/or valuable information.

While many tools exist for avoiding potential threats in cybersecurity of electronic devices, conventional cybersecurity systems often fail to adequately address potential security issues. For example, conventional cybersecurity systems typically utilize dedicated diagnostic tools for identifying whether a personal computer is compliant with a known security standard. Conventional diagnostic tools, however, are limited to providing a report of settings or configurations on a device that are out of compliance with a known set of standards. The report is then generally provided to an information technology (IT) administrator who manually addresses issues identified by the report or, alternatively, utilizes a separate software tool to facilitate remediation of various issues identified by the diagnostic tool.

In addition to failing to enable effective diagnosis and remediation of potential security issues, conventional cybersecurity systems can be inflexible and computationally prohibitive. For example, conventional cybersecurity systems are often limited to scanning a device for compliance with a specific security standard (e.g., Center for Internet Security (CIS) standards, Standard Technical Implementation Guide (STIG) standards, Payment Card Industry (PCI) standards, and Health Insurance Portability and Accountability Act (HIPAA)). As a result, conventional systems may provide an effective tool for identifying potential security threats for a select group of devices or programs uniquely tailored to a particular security standard. However, conventional cybersecurity systems may fail to effectively identify potential security threats for other devices or programs not specifically tailored to the security standard. Furthermore, while a device may simply run different security checks based on multiple security standards, running comprehensive checks based on multiple standards can be expensive and can utilize significant computing resources.

These along with additional problems and issues exist with regard to conventional cybersecurity systems.

BRIEF SUMMARY

Embodiments of the present disclosure provide benefits and/or solve one or more of the foregoing and other problems in the art with systems, methods and computer-readable media that enforce security policies on a client device (or other computing device). In particular, in one or more embodiments, the disclosed systems enforce security policies by performing operations that enable an agent on the client device to both scan and fix security issues. For example, the disclosed systems can enforce a security policy by performing an idempotent operation in which a check and a fix of a security policy are the same operation (e.g., a check operation is the fix operation). In this way, the systems described herein can effectively identify and remediate configuration settings of a client device out of compliance with security standards using a single software agent.

In addition, in one or more embodiments the disclosed systems provide a policy-driven approach to enforcing security policies applicable to a wider range of client devices and applications. Indeed, by providing a policy-driven approach to enforcing security policies, the disclosed systems can enable a client device to comply with multiple security standards while performing a fewer number of operations than conventional systems, thereby improving performance of the client device without sacrificing substantial processing resources. In addition, by enforcing security policies using a policy-driven approach, the disclosed systems provide more effective security across a wider range of client devices and applications for which different security standards may be better suited to address potential security issues.

Additional features and advantages of one or more embodiments of the present disclosure are outlined in the description which follows, and in part will be obvious from the description, or may be learned by the practice of such example embodiments.

BRIEF DESCRIPTION OF THE DRAWINGS

The detailed description provides one or more embodiments with additional specificity and detail through the use of the accompanying drawings, as briefly described below.

FIG. 1 illustrates an example environment in which a configuration management system and associated configuration management agents can operate in accordance with one or more embodiments;

FIG. 2 illustrates a schematic diagram of implementing policy-driven enforcement of configuration settings on a computing device in accordance with one or more embodiments;

FIG. 3 illustrates an example mapping record including a mapping between security policies and security standards in accordance with one or more embodiments;

FIG. 4 illustrates an example computing device including a graphical user interface for providing a report including information about enforcing security policies in accordance with one or more embodiments;

FIG. 5 illustrates an example architecture of a configuration management agent implemented on a computing device in accordance with one or more embodiments;

FIG. 6 illustrates a flowchart of an example series of acts for enforcing a plurality of security policies on a client device in accordance with one or more embodiments;

FIG. 7 illustrates a flowchart of an example series of acts for implementing a policy-driven approach to enforcing security policies based on an identified security standard in accordance with one or more embodiments;

FIG. 8 illustrates a block diagram of a computing device in accordance with one or more embodiments; and

FIG. 9 illustrates a networking environment including a configuration management system in accordance with one or more embodiments.

DETAILED DESCRIPTION

One or more embodiments of the present disclosure include a configuration management system and configuration management agents that facilitate effective and flexible enforcement of security policies on a client device (or other computing device). For example, in one or more embodiments, a configuration management agent (or simply “agent”) can identify a plurality of security policies including configuration states associated with configuration settings of the client device. Upon receiving a request to implement the security policies on the client device, the agent can perform operations to enforce the configuration states defined by the security policies. In particular, the agent can enforce the configuration states defined by the security policies by checking and fixing a configuration setting associated with the configuration state. Indeed, the agent can enforce security policies by performing idempotent operations in which a check and a fix of a configuration setting are the same operation (e.g., a check of the configuration setting is also the fix for the configuration setting).

In addition to generally enforcing configuration states defined by security policies, the configuration management system can additionally implement a policy-driven approach to enforcing security policies on a client device. Indeed, the configuration management system can enforce security policies that enable a client device to operate in accordance with a number of security standards. In one or more embodiments, the configuration management system maintains a plurality of security policies including configuration states associated with configuration settings on a client device in addition to mapping information associating the security policies with one or more security standards. In one or more embodiments, the configuration management system receives a request to enforce a first security standard. Based on the request, the configuration management system can identify a subset of security policies having mapping information associated with the first security standard and provide the subset of security policies to the client device for enforcement (e.g., by the agent on the client device). In one or more embodiments, enforcing the security standard involves performing an operation (e.g., an idempotent operation) of enforcing configuration states defined by the subset of security policies, thereby causing the client device to operate in accordance with the identified security standard.

As will be described in further detail below, the configuration management system and configuration management agent(s) provide a number of advantages over conventional cybersecurity systems. For example, by enforcing security policies using idempotent operations, the configuration management system can facilitate both diagnosing and remediating security issues using a single software package or agent implemented on a client device. Moreover, the configuration management system and/or agent on the client device can perform an operation (e.g., a single operation) of both identifying and remediating a security issue in response to a single user input. Accordingly, features and functionality described herein significantly reduce processing overhead as well as time spent by an administrative user in identifying and remediating security issues on a computing system.

In addition to more efficiently enforcing security policies, implementing a policy-driven approach to enforcing security policies provides significant flexibility over existing approaches to cybersecurity. For example, rather than implementing a wholesale and inflexible approach to security standards in accordance with a set security standard, the configuration management system can implement a policy-driven approach in which any number of policies can be selected and enforced on a client device including more or fewer security policies than those explicitly tied to a corresponding security standard.

Indeed, the configuration management system provides additional flexibility where many security standards include checks that uniquely apply to a specific type of client device or a common combination of applications running on a client device. For instance, rather than enforcing a fixed set of checks applicable to a specific security standard, the configuration management system can identify a set of policies more unique to a particular client device or set of applications running on the client device.

In addition, in contrast to conventional cybersecurity systems, the configuration management system can facilitate compliance with multiple standards without performing redundant operations on a computing system. For example, where a conventional security system would run a series of checks for each individual security standard, the configuration management system can maintain mapping information between security policies and security standards to use in determining a set of security policies that facilitate compliance across multiple security standards without performing redundant operations for security policies that different standards have in common. Indeed, by reducing a number of redundant operations as a result of repeatedly checking and fixing configuration settings multiple times (e.g., to comply with similar or identical requirements across different standards), the configuration management system can significantly reduce consumption of processing resources, which improves upon the functionality of a client device.

As illustrated by the foregoing discussion, the present disclosure utilizes a variety of terms to describe features and advantages of an environment including the configuration management system and configuration management agent(s). Additional detail is now provided regarding the meaning of many of these terms.

For instance, as used herein, a “configuration setting” refers to a setting of a device or application that affects operation of the device. In one or more embodiments described herein, a configuration setting refers to a changeable setting of an application, operating system, or functionality of a device. Examples of configuration settings include device or application permissions, functionality, user-access controls, or other setting that affects operation of a client device or network. Indeed, in some cases, a configuration setting can refer to whether an application is open or running, and how an application or operating system interfaces with a network. Further, a configuration setting can refer to a set of multiple functionalities that are added to or removed from an operating system or application in accordance with a state of the configuration setting. Moreover, in one or more embodiments described herein, a configuration setting specifically refers to a setting related to an intended functionality of a device or software rather than a bug or unintended functionality of the device or software. Thus, where a software patch or update is performed to repair one or more unintended functionalities of an application, this would not necessarily change a configuration setting in accordance with one or more embodiments described herein.

As used herein, a “security policy” refers to a data object including a defined state (e.g., a configuration state) of a configuration setting in compliance with one or more security standards. In one or more embodiments described herein, a security policy includes a defined configuration state and mapping information associating the defined configuration state with one or more applicable security standards. As used herein, a “configuration state” includes an indication of a configuration setting that would place a device or application in compliance with a corresponding security standard. Accordingly, in one or more embodiments described herein, a security policy includes a configuration state and associated mapping information where maintaining a configuration setting at the configuration state would place the configuration setting in compliance with one or more security standards as indicated by the mapping information included within the security policy.

As used herein, a “security standard” refers to tools, policies, concepts, safeguards, guidelines, actions, and other techniques or items related to protecting the cyber environment of a user or organization. In one or more embodiments, a security standard refers to a list of checks a device (e.g., a server device, client device) can perform to ensure that configuration settings on a device are in compliance with tools, policies, concepts, and other techniques defined by a particular security standard. In one or more embodiments described herein, a security standard includes policies including settings, checks, or other information associated with a specific security standard. By way of example and not by limitation, security standards may include published standards including Center for Internet Security (CIS) standards, Standard Technical Implementation Guide (STIG) standards, Payment Card Industry (PCI) standards, International Organization for Standards (ISO) 8000 standards, and Health Insurance Portability and Accountability Act (HIPAA) standards.

As mentioned above, and as will be described in further detail herein, a configuration management system and/or configuration management agents can perform an operation of enforcing a security policy on a computing device. As used herein, performing an operation of enforcing a security policy involves an action of setting, maintaining, or otherwise causing a configuration setting to comply with a configuration state defined by the security policy. In one or more embodiments described herein, performing an operation of enforcing a security policy involves performing an idempotent operation in which a check and a fix of a configuration setting refer to the same operation performed by a computing device. Accordingly, a client device can perform an idempotent operation of enforcing a security policy any number of times without changing a resulting configuration setting after the initial performance of the idempotent enforcement operation.

Additional detail will now be provided regarding an environment including the configuration management system and configuration management agents in relation to illustrative figures of example embodiments. For example, FIG. 1 illustrates an example environment 100 for implementing a policy-driven enforcement of security policies in accordance with one or more embodiments. As shown in FIG. 1, the environment 100 includes a server device(s) 102 including a configuration management system 104. The environment 100 further includes client devices 106 a-c including configuration management agents 108 a-c thereon. The environment 100 further includes a third-party server device(s) 112 including security standards 114.

As shown in FIG. 1, the server device(s) 102, client devices 106 a-c, and third-party server device(s) 112 can communicate with each other directly or indirectly over a network 110. The network 110 may include one or multiple networks and may use one or more communication platforms or technologies suitable for transmitting data. In one or more embodiments, the network 110 includes the Internet or World Wide Web. In addition, or as an alternative, the network 110 can include other types of communication networks as described below (e.g., in relation to FIG. 9).

As mentioned above, and as shown in FIG. 1, the environment 100 includes the client devices 106 a-c. The client devices 106 a-c may refer to various types of computing devices. For example, one or more of the devices may include a mobile device such as a mobile telephone, a smartphone, a personal digital assistant (PDA), a tablet, or a laptop. Additionally, or alternatively, one or more of the devices may include a non-mobile device such as a desktop computer. In addition, while each of the client devices 106 a-c may refer to similar types of computing devices, the environment 100 can include different types of client devices in communication with the server device(s) 102 and/or third-party server device(s) 112.

Also mentioned above, and as shown in FIG. 1, the environment includes the server device(s) 102 and the third-party server device(s) 112. The server device(s) 102 and the third-party server device(s) 112 can generate, store, receive, and/or transmit any type of data, including security policies, security standards, and other related information. In one or more embodiments, the server device(s) 102 and the third-party server device(s) 112 may include data servers. The server device(s) 102 and the third-party server device(s) 112 may also include communication servers or web-hosting servers. In one or more embodiments, the server device(s) 102, 112 refers to a computing device and/or server device that provides administrative or IT service to the client devices 106 a-c. Additional detail regarding client devices and server devices is provided below (e.g., in relation to FIGS. 8-9).

As shown in FIG. 1, the configuration management system 104 can generate or maintain security policies on the server device(s) 102. In one or more embodiments, the configuration management system 104 generates or maintains security policies based on security standards 114 on one or more third-party server device(s) 112. For example, the configuration management system 104 can generate security policies that define configuration states of a client device that comply with various checks or policies from a security standard 114 on a third-party server device 112 (e.g., published guidelines from a web server). In one or more embodiments, the configuration management system 104 obtains multiple security standards 114 from different server devices. For example, the configuration management system 104 can access information from a first security standard (e.g., CIS Standard) from a first third-party server while accessing information from a second security standard (e.g., STIG standard) from a second third-party server.

Once generated, the configuration management system 104 can provide the security policies to configuration management agents 108 a-c (or simply “agents 108 a-c”) on respective client devices 106 a-c. In one or more embodiments, the agents 108 a-c include software agents associated with the configuration management system 104 installed on the respective client devices 106 a-c. In addition, in one or more embodiments, the agents 108 a-c may include similar or unique features and functionality based on the corresponding client device 106 a-c. For example, a first agent 108 a installed on a first client device 106 a may include features and functionality unique to a first type of client device (e.g., a desktop computer) while a second agent 108 b installed on a second client device 106 b may include features and functionality unique to a second type of client device (e.g., a mobile device).

In one or more embodiments, the agents 108 a-c are controlled by a master application (e.g., the configuration management system 104) running on an administrative system (e.g., an administrative device or server). Accordingly, in one or more embodiments, the agents 108 a-c are responsible for executing commands sent by the configuration management system 104, reporting on the success of various jobs, and providing data about the management of the client devices 106 a-c.

Upon receiving the security policies from the configuration management system 104, the agents 108 a-c can enforce the security policies on the individual devices. For example, the agents 108 a-c can enforce the security policies by performing operations to enforce configuration states defined by the security policies for configuration settings of the client devices 106 a-c. In one or more embodiments, performing an enforcement operation includes performing an idempotent operation that modifies, maintains, or otherwise enforces a configuration setting to comply with a configuration state defined by a security policy. In addition, where the enforcement operation includes an idempotent operation, a scan and a fix of a configuration setting to comply with the security policy involve the same operation. Accordingly, the agents 108 a-c can both scan and fix configuration settings by performing a single idempotent operation.

Moreover, as will be described in further detail below, the configuration management system 104 can further facilitate compliance of the client devices 106 a-c with multiple security standards. For example, in providing the security policies to the client devices 106 a-c, the configuration management system 104 can provide mapping information that associates configuration states defined by the security policies to one or multiple security standards. Indeed, where security standards often include similar guidelines for certain applications or devices, the configuration management system 104 can provide mapping information to enable the agents 108 a-c to more efficiently enforce policies across multiple security standards without performing duplicate enforcement operations.

Although FIG. 1 illustrates a particular number and arrangement of client devices 106 a-c, it will be understood that the environment 100 can include any number of devices, including any number of server devices, third-party server devices, or client devices. Moreover, one or more of the client devices 106 a-c may communicate directly with the server device(s) 102 and/or the third-party server device(s) 112, or via an alternative network, bypassing the network 110. For example, in one or more embodiments, rather than receiving security standard data from the server device(s), one or more of the client devices 106 a-c may access security standard data from the third-party server device(s) 112 directly or via an alternative network.

As mentioned above, the configuration management system 104 and agents 108 a-c can cooperatively enforce security policies on the client devices 106 a-c. For instance, FIG. 2 illustrates an example in which a client device (e.g., client device 106) having a configuration management agent (e.g., agent 108) thereon enforces a set of security policies provided by a configuration management system 104 on a server device(s) 102. For ease in explanation, client device 106 may refer to any of the client devices 106 a-c described above in FIG. 1 while agent 108 may refer to any of the configuration management agents 108 a-c implemented on the respective client devices 106 a-c.

In particular, FIG. 2 illustrates an example series of acts 200 for enforcing any number of security policies on a client device 106. As shown in FIG. 2, the agent 108 may perform an act 202 of receiving a request to enforce a set of security policies. In one or more embodiments, the agent 108 receives a request to enforce a security standard including a set of configurations or policies to enforce on the client device 106. As an alternative, the agent 108 can receive a request to enforce a pre-selected set of security policies unique to or previously applied to the client device 106. In one or more embodiments, the agent 108 receives a request to enforce a select group of policies (e.g., a set of manually selected policies) that make up a subset of a particular standard or other smaller set of security policies to selectively enforce in response to a user command.

The request to enforce the set of security policies may refer to a user request or manual request to enforce the set of security policies. For example, the agent 108 may provide a selectable option (e.g., via a graphical user interface of the client device 106) that enables a user of the client device 106 to explicitly request enforcement of a set of security policies. Alternatively, the agent 108 may receive the request based on a periodic enforcement process. As an example, the agent 108 may periodically identify a set of security policies for enforcement based on a setting or protocol to establish secure configuration settings on the client device 106 at a predetermined frequency (e.g., every hour, every day). Alternatively, in one or more embodiments, the agent 108 dynamically identifies modifications to various configuration settings and receives or otherwise generates the request to enforce a set of security policies in response to detecting modifications to one or more configuration settings on the client device 106.

In one or more embodiments, the agent 108 receives or identifies a set of security policies based on a type of client device 106 and/or based on applications running or installed on the client device 106. For example, as an alternative to implementing a wholesale approach to enforcing security policies, the agent 108 can identify a select set of security policies unique to the client device 106 including security policies specific to settings that are common to the client device 106. In addition, the agent 108 can identify security policies based on identified applications on the client device 106.

As an illustrative example, where a client device 106 includes intended functionality that enables the client device 106 to connect wirelessly via a Bluetooth connection to other nearby electronic devices, the agent 108 may identify one or more security policies that relate to enforcing secure Bluetooth pairing configurations. Alternatively, where a client device 106 lacks specifications or functionality related to connecting wirelessly via a Bluetooth connection to nearby client devices, the agent 108 may omit one or more security policies related to enforcing secure Bluetooth pairing configurations. By selectively identifying a set of security policies based on specifications of the client device 106 and/or based on applications installed or running on the client device 106, the agent 108 can more efficiently enforce secure configuration settings on the client device 106 in accordance with relevant security policies.

As further shown, the agent 108 may perform an act 204 of identifying a next security policy for the client device 106. In initiating enforcement of the set of security policies, identifying the next security policy may simply involve identifying a first security policy from a set of security policies (e.g., as received from the configuration management system 104). Accordingly, as will be described in further detail below, the agent 108 can iteratively enforce security policies from a set of security policies identified by the agent 108 and/or configuration management system 104.

Upon identifying a security policy for enforcement, the agent 108 can perform an act 206 of determining whether an exemption applies to a security policy. For instance, in one or more embodiments, the agent 108 determines whether an exemption applies for a particular configuration setting and/or a policy that includes a configuration state associated with the configuration setting. For instance, certain corporate policies may permit knowing violations of one or more security policies while still maintaining compliance with one or more standards. As such, the agent 108 can determine whether a given policy is exempt from enforcement on a corresponding client device 106.

Where the agent 108 determines that an exemption applies to the security policy, the agent 108 can bypass enforcing the security policy on the client device 106 and select a new policy for enforcement. Alternatively, as shown in FIG. 2, where the agent 108 determines that an exemption does not apply, the agent 108 can proceed to perform an act 208 of enforcing the security policy on the client device 106. As mentioned above, the agent 108 can perform an operation of enforcing the security policy by causing a configuration setting to comply with a configuration state defined by the security policy. In one or more embodiments, the act 208 of enforcing the security policy involves performing an idempotent operation in which a check and a fix of a configuration setting to comply with a configuration state refer to the same operation.

As shown in FIG. 2, the act 208 of enforcing the security policyinvolves an act 210 of determining whether a current configurationsetting complies with the configuration state defined by the securitypolicy and further performing an act that remediates or otherwiseenforces the configuration setting to comply with the indicatedconfiguration state. In particular, as shown in FIG. 2, where theconfiguration setting complies with the configuration state defined bythe security policy (e.g., where a current configuration setting isalready the same as the configuration state), the agent 108 can performan act 212 of maintaining a current configuration for the configurationsetting associated with the configuration state. Alternatively, wherethe current configuration setting does not comply with the configurationstate defined by the configuration policy (e.g., where a currentconfiguration setting is not the same as the configuration state), theagent 108 can perform an act 214 of modifying the configuration state.For example, the agent can enforce the configuration state by changingthe configuration setting to match or otherwise comply with theconfiguration state defined by the security policy.

As mentioned above, while the agent 108 may either maintain or modify a current configuration setting to match a configuration state defined by a security policy, in one or more embodiments, the agent 108 maintains a current configuration setting where the configuration setting complies with the corresponding configuration state, but does not necessarily match the configuration state defined by the security policy. For instance, while a configuration state may indicate a specific configuration setting, the configuration state may further indicate one or more configuration settings that are more secure or otherwise in compliance with a security standard. Accordingly, where a current configuration setting is more secure or otherwise in compliance with a configuration state, the agent 108 may maintain the current configuration setting even where the configuration setting and configuration state are not exactly the same.

As indicated above, the act 208 of enforcing the security policy may involve an idempotent operation in which the act 210 of determining whether the current configuration setting complies with the configuration state as well as the acts 212-214 of either maintaining the current configuration setting or modifying the configuration state involve performing the same operation by the client device 106. For example, on an initial instance of enforcing the configuration setting to comply with a security policy, the agent 108 may perform an idempotent operation that involves modifying the configuration setting to comply with the configuration state defined by the security policy. Because the enforcement operation involves an idempotent operation, unless the configuration setting changes after the initial enforcement, subsequent operations of enforcing the security policy will have no effect on the configuration setting because the check as well as the fix for the configuration setting are one and the same operation.

After enforcing the security policy, the agent 108 can additionally perform an act 216 of determining whether the security policy is the last policy from the set of security policies. As shown in FIG. 2, where the security policy is not the final security policy from the set of security policies, the agent 108 proceeds to perform the act 204 of identifying a next security policy. Alternatively, where the security policy is the final security policy from the set of security policies, the agent 108 performs an act 218 of generating a security report.

In particular, the agent 108 can generate a security report including information about enforcing the set of security policies. In one or more embodiments, generating the security report includes providing an audit report including an indication of any number of configuration settings that were modified as a result of enforcing the set of security policies. Alternatively, the agent 108 may generate a security report including an indication of any number of configuration settings as well as an indication of whether or not the configuration settings were modified or maintained. In one or more embodiments, a security report can include an indication of one or more exemptions that may apply to the configuration settings as well as an indication as to whether the configuration setting is in compliance with one or more security policies (regardless of whether it was enforced by the agent 108).

In addition to generating a security report including information about enforcing the set of security policies, the agent 108 can additionally provide one or more additional options related to securing the client device 106. For example, the agent 108 can generate and provide one or more selectable options that enable a user of the client device 106 to enforce one or more additional security policies (e.g., from different security standards), to override one or more exemptions that bypassed one or more security policies, or perform one or more other actions by the client device. Additional detail will be discussed by way of example in connection with FIG. 5 below.

While FIG. 2 illustrates an example in which an agent 108 receives a request to enforce a select set of security policies, in one or more embodiments, the agent 108 implements a more dynamic approach to identifying and enforcing security policies. For example, in an effort to avoid excessive bandwidth overhead, the agent 108 can maintain an active connection with the configuration management system 104. For instance, rather than periodically polling a cloud server like many conventional scanning applications, the agent 108 can use asynchronous algorithms that minimize network overhead by maintaining an active connection. Indeed, by maintaining an active connection, the agent 108 can avoid the transmission of large data files every few minutes that many polling mechanisms require, data which can quickly become outdated.

For instance, where a configuration setting often changes, a polling mechanism may fail to accurately identify a current state of a configuration setting that periodically falls out of compliance with a security standard. In contrast, the agent 108 maintains an active connection with a cloud server that can be called on at any time (e.g., by providing a request to secure a client device), which enables the agent 108 to immediately enforce current states of configuration settings to comply with security policies. In this way, rather than periodically transmitting large blocks of data (e.g., 1-20 MB data blocks) at set intervals, the agent 108 can simply send an indication of a request for enforcement. By implementing an active agent in this way, the agent 108 can enforce security policies using small, targeted communications (e.g., 1-20 kB downloads) rather than larger, redundant communications (e.g., 1-20 MB downloads).

As mentioned above, the agent 108 implements a policy-driven approach to securing a client device from potential security threats. For example, the agent 108 can identify any number of security policies to enforce on a client device 106. The agent 108 can identify single policies for enforcement, a set of manually selected policies, or policies that are unique to the client device 106. In addition, or as an alternative, the agent 108 can identify a set of security policies that correspond to a security standard. In particular, the agent 108 can identify a set of policies that satisfy a security standard or, alternatively, a set of policies that satisfies multiple security standards.

As indicated above, the security policies may include configuration states as well as mapping information that associates the configuration states defined by the security policies with corresponding security standards. In one or more embodiments, the agent 108 identifies the configuration states and mapping information from a record of policy data including the security policies and associated data. FIG. 3 illustrates an example standard mapping record 302 in accordance with one or more embodiments which includes policy data that an agent 108 may use in identifying a set of security policies to enforce on a client device 106.

As illustrated in FIG. 3, the standard mapping record 302 includes any number of policies grouped according to security standards. In particular, the standard mapping record 302 includes data for a first standard 304 (i.e., a first security standard) including policies A-E representative of a set of configuration states that would place a client device 106 in compliance with the first standard 304. The standard mapping record 302 further includes data for a second standard 306 including policies A-C and F-H. As shown in FIG. 3, the standard mapping record 302 includes data for a third standard 308 including policies C-D, F-G, and I-J.

While FIG. 3 illustrates three generic standards 304-308 including an arbitrary number of security policies, the mapping record may include any number of security policies corresponding to any number of security standards. As an example, the standard mapping record 302 may include policies from a CIS standard, STIG standard, HIPAA standard, or other security standard(s) that include hundreds or thousands of checks to determine compliance with a particular standard.

As shown in FIG. 3, each of the security policies includes a configuration state and corresponding mapping information. For example, policy A includes a configuration state 314 and mapping information indicating that a configuration setting in compliance with the configuration state 314 would place that configuration setting in compliance with both the first standard 304 and the second standard 306. Each of the additional policies (e.g., policies B-J) includes similar information (e.g., a configuration state and mapping information).

In addition, while each of the illustrated policies includes a single configuration state, the individual policies may include one or multiple configuration states in compliance with a corresponding security standard. As an example, where multiple configuration states may be secure in accordance with a security standard, the agent 108 may avoid performing one or more redundant enforcement operations with respect to a security policy by maintaining a configuration state for one or more configuration settings that match or otherwise comply with any of the associated configuration states defined by the security policy.

As shown in FIG. 3 and as indicated by the mapping information of the respective security policies, one or more of the security standards 304-308 include some or all of the same policies as other standards within the standard mapping record 302. For example, the mapping information 312 of policy A indicates that enforcing the configuration state 314 places a configuration setting associated with the configuration state 314 in compliance with both the first security standard 304 and the second security standard 306.

As a result of the overlap in the mapping information, the agent 108 can more efficiently facilitate compliance of a client device across multiple security standards. Moreover, even where enforcing compliance with a single security standard (e.g., first standard 304), the agent 108 can determine a level of compliance with one or more additional security standards based on which policies from the first security standard also apply to other security standards within the standard mapping record 302.

For instance, by enforcing the security policies from the first security standard 304, the agent 108 can determine that at least 50% of the configuration settings of a client device 106 already comply with configuration states defined by policies from the second security standard 306 without scanning or otherwise enforcing any of the security policies of the second security standard 306. Accordingly, subsequent to enforcing the first security standard 304 and in response to receiving a request to additionally enforce the second security standard 306, the agent 108 can forego performing any operations for enforcing policies A-C, and enforce all the policies of the second security standard 306 by selectively enforcing policies F-H (e.g., without performing additional operations with regard to policies A-C).
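As an added example (not code from the patent), the following Python models the FIG. 2 idempotent check-and-fix together with the FIG. 3 mapping record and the overlap described above: enforcing the first standard leaves the second standard 50% covered without scanning it, and a later request for the second standard touches only policies F-H. The setting names and values, the exemption of policy F, and the Agent class are constructed for illustration.

```python
"""Policy-driven scan-and-remediate over a standard mapping record.

Constructed illustration of the FIG. 2 enforcement loop and the FIG. 3
mapping record; not code from the patent. Standard and policy names
mirror the figure (304/306/308, policies A-J); settings are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    setting: str
    # Every listed state complies; the first is what a fix writes. A
    # stricter current value that is also listed is kept, not overwritten.
    compliant_states: tuple
    standards: frozenset  # mapping information: standards this policy satisfies


# Constructed record mirroring FIG. 3: 304 = A-E, 306 = A-C,F-H, 308 = C-D,F-G,I-J.
STANDARD_MAPPING_RECORD = (
    Policy("A", "telnet", ("off",), frozenset({304, 306})),
    Policy("B", "ssh_root_login", ("no",), frozenset({304, 306})),
    Policy("C", "password_min_len", (14, 16, 20), frozenset({304, 306, 308})),
    Policy("D", "firewall", ("on",), frozenset({304, 308})),
    Policy("E", "autorun", ("disabled",), frozenset({304})),
    Policy("F", "usb_storage", ("blocked",), frozenset({306, 308})),
    Policy("G", "screen_lock_timeout", (300, 120), frozenset({306, 308})),
    Policy("H", "audit_logging", ("on",), frozenset({306})),
    Policy("I", "disk_encryption", ("on",), frozenset({308})),
    Policy("J", "guest_account", ("disabled",), frozenset({308})),
)

# Constructed starting configuration of a client device.
CLIENT_SETTINGS = {
    "telnet": "on", "ssh_root_login": "yes", "password_min_len": 16,
    "firewall": "on", "autorun": "enabled", "usb_storage": "allowed",
    "screen_lock_timeout": 900, "audit_logging": "off",
    "disk_encryption": "off", "guest_account": "enabled",
}


class Agent:
    def __init__(self, settings, record, exemptions=()):
        self.settings = dict(settings)
        self.record = {p.name: p for p in record}
        self.exemptions = set(exemptions)   # policies bypassed on this device
        self.enforced = set()               # what the redundancy manager consults
        self.audit = []                     # (policy, setting, outcome) entries

    def enforce_policy(self, policy):
        """Idempotent check-and-fix: one call both tests compliance and
        remediates, so re-running it on an unchanged setting does nothing."""
        if policy.name in self.exemptions:
            outcome = "exempt"
        elif self.settings.get(policy.setting) in policy.compliant_states:
            outcome = "maintained"
        else:
            before = self.settings.get(policy.setting)
            self.settings[policy.setting] = policy.compliant_states[0]
            outcome = f"modified {before!r} -> {policy.compliant_states[0]!r}"
        # An exempt policy still counts toward the standard: bypassed, not failed.
        self.enforced.add(policy.name)
        self.audit.append((policy.name, policy.setting, outcome))
        return outcome.split()[0]

    def policies_for(self, standard):
        return [p for p in self.record.values() if standard in p.standards]

    def enforce_standard(self, standard):
        """Enforce a standard, skipping policies already enforced for another one."""
        outcomes = {}
        for policy in self.policies_for(standard):
            if policy.name in self.enforced:
                outcomes[policy.name] = "skipped"
            else:
                outcomes[policy.name] = self.enforce_policy(policy)
        return outcomes

    def compliance_level(self, standard):
        """Share of a standard's policies already covered via overlap, computed
        without scanning that standard's own policies."""
        policies = self.policies_for(standard)
        return sum(p.name in self.enforced for p in policies) / len(policies)


if __name__ == "__main__":
    agent = Agent(CLIENT_SETTINGS, STANDARD_MAPPING_RECORD, exemptions={"F"})
    print("first standard:", agent.enforce_standard(304))
    print("second standard compliance:", agent.compliance_level(306))  # 0.5
    print("second standard:", agent.enforce_standard(306))
    for entry in agent.audit:
        print(*entry)
```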

As mentioned above, the agent 108 can generate and provide a security report (e.g., an audit report) based on any actions performed in causing a client device to comply with one or more security standards. FIG. 4 illustrates an example in which a configuration management agent (or simply “agent”) on a client device 402 provides an audit report including information associated with enforcing security policies from a security standard. As shown in FIG. 4, the client device 402 includes a graphical user interface 404 on which an agent thereon generates and provides an audit report 406 including information associated with enforcing the policies corresponding to a security standard.

In the example shown in FIG. 4, upon enforcing a set of security policies corresponding to a CIS security standard, the agent generates and presents an audit report including a CIS standard report showing results of enforcing security policies for the CIS security standard in accordance with one or more embodiments described herein. As shown in FIG. 4, the audit report 406 includes a listing of enforcement actions 408 in which one or more configuration settings were modified or exempt. For example, where enforcing a security policy whose configuration state indicates that a Telnet application should be off results in a Telnet application on the client device 402 being turned off from an on status, the audit report 406 includes an indication of the change in status of the configuration setting as a result of performing the enforcement operation.

As another example, the audit report 406 may include an indication of one or more security policies for which one or more exemptions apply for the client device 402. For instance, where an agent bypasses performing an enforcement operation for a configuration setting, the audit report may similarly include one or more indications that the configuration settings are exempt from complying with one or more corresponding security policies. As shown in FIG. 4, the client device 402 has an exemption with regard to using a universal serial bus (USB) device where the CIS standard generally prohibits USB access. Accordingly, the agent may include an indication of the USB access restriction exemption, as indicated in FIG. 4.

As further shown in FIG. 4, the agent may include an indication of a level of compliance with one or more security standards. For example, as a result of enforcing (e.g., scanning and remediating) security policies for the CIS standard, the agent may determine a level of compliance with one or more additional security standards (e.g., a STIG security standard and a HIPAA security standard). In particular, based on mapping information associating security policies from a set of security policies corresponding to the CIS standard, the agent may determine that, without performing any additional enforcement operations, the client device 402 is already 80% STIG compliant and 60% HIPAA compliant, as indicated on the graphical user interface 404 of the client device 402. Accordingly, the agent provides a first compliance indicator 410 a for the STIG security standard as well as a second compliance indicator 410 b for the HIPAA security standard.

In one or more embodiments, the agent additionally provides one or more selectable options for placing the client device 402 in compliance with one or more additional security standards. For example, as shown in FIG. 4, the agent can provide a first selectable option 412 a for enforcing security policies to place the client device 402 in compliance with a STIG security standard. The agent can additionally provide a second selectable option 412 b for enforcing security policies to place the client device 402 in compliance with a HIPAA security standard.

Because the client device 402 is already partially in compliance with the other security standards (e.g., STIG and HIPAA), in response to detecting a selection of the selectable options (e.g., a user selection of a graphical icon), the agent may bring the client device 402 in compliance with a corresponding security standard by enforcing only those security policies that were not already enforced for the already-compliant security standard. For example, in response to detecting a selection of the first selectable option to enforce the STIG security standard, an agent on the client device 402 may bypass performing any operations on the 80% of the security policies already enforced and selectively enforce the remaining 20% of security policies associated with the STIG security standard. In this way, the client device 402 avoids performing redundant operations in bringing the configuration settings of the client device 402 in compliance with the STIG security standard.

Moreover, upon enforcing both the security policies for the CIS security standard and additional security policies for the STIG security standard, the agent may provide an updated audit report as well as an updated measure of compliance of one or more additional security standards. For example, where enforcing security policies to bring configuration settings of the client device 402 in compliance with both the CIS security standard and the STIG security standard brings the client device 90% in compliance with a HIPAA security standard (e.g., as a result of security policies in common between the STIG standard and the HIPAA standard), the agent can provide an indication of the 90% compliance via the graphical user interface 404 similar to the example shown in FIG. 4. In addition, a user can subsequently select another selectable option to enforce any remaining security policies of the HIPAA security standard not previously enforced in complying with the CIS and STIG standards.

Turning now to FIG. 5, additional detail will now be provided regarding components and capabilities of an example architecture for a configuration management agent 108 on a computing device 502 in accordance with one or more embodiments described herein. As mentioned above, the configuration management agent 108 may be implemented in whole or in part on a client device, which may be one embodiment of the computing device 502 shown in FIG. 5. Alternatively, one or more components of the configuration management agent 108 may be implemented in whole or in part on a server device(s) 102 (e.g., as part of a configuration management system 104), as discussed above in the environment shown in FIG. 1.

As shown in FIG. 5, the configuration management agent 108 includes a policy enforcement manager 504 for performing one or more actions related to enforcing security policies. For example, in accordance with one or more embodiments described above, the policy enforcement manager 504 may identify any number of policies for enforcement on the computing device 502 for placing configuration settings of the computing device 502 in compliance with a set of security policies. In one or more embodiments, the set of security policies refers to a set of security policies corresponding to a security standard. The set of security policies may include additional or fewer policies in accordance with one or more embodiments.

As shown in FIG. 5, the policy enforcement manager 504 includes an exemption manager 506. In one or more embodiments, the exemption manager 506 identifies whether an exemption applies to a security policy or configuration setting associated with a security policy. For example, where a user of the computing device 502 is an administrator of a system or network of client devices, the exemption manager 506 may provide a higher level of access to one or more configuration settings by exempting the computing device 502 from enforcement of one or more security policies. Indeed, where the exemption manager 506 identifies an applicable exemption, the configuration management agent 108 may simply bypass enforcement of a security policy while still maintaining compliance with an associated security standard.

As illustrated in FIG. 5, the policy enforcement manager 504 further includes a redundancy manager 508. In one or more embodiments, the redundancy manager 508 reduces redundancy of enforcing security policies by checking whether one or more security policies have previously been enforced in causing the computing device to comply with one or more security standards. For example, where the configuration management agent 108 has received a request to enforce two sets of security policies that place the computing device 502 in compliance with two different security standards that have significant overlap in security policies, the redundancy manager 508 can access mapping information or otherwise identify which security policies have been enforced in performing enforcement operations for a first security standard and avoid performing redundant enforcement operations in enforcing the second security standard. Accordingly, in complying with multiple security standards, the redundancy manager 508 can facilitate avoiding enforcement of the same security policies more than once, even where enforcing multiple security standards simultaneously.

The policy enforcement manager 504 further includes an enforcement manager 510. In one or more embodiments, the enforcement manager 510 implements a policy-driven approach to securing the computing device 502 by performing operations to enforce any number of identified security policies. For example, the enforcement manager 510 can perform enforcement operations of scanning and fixing one or more configuration settings to comply with configuration states defined by the identified security policy. In one or more embodiments, the enforcement manager 510 enforces the security policies by performing idempotent operations in which a scan and a fix of a configuration setting are the same operation.

As further shown in FIG. 5, the configuration management agent 108 includes a compliance reporting manager 512 for generating and providing audit reports including information associated with enforcing security policies on the computing device 502. For example, the compliance reporting manager 512 includes a report generator 514 that generates an audit report including an indication of one or more modifications to configuration settings made by the enforcement manager 510. In addition, the report generator 514 can generate a report including one or more exemptions that apply to the computing device 502.

As described in one or more embodiments above, the report generator 514 can generate an audit report for presentation via a graphical user interface of the computing device 502. In addition, or as an alternative, the report generator 514 can generate an audit report including information about enforcing security policies and provide the audit report to a cloud server or other computing device(s) (e.g., server device(s) 102).

As further shown in FIG. 5, the compliance reporting manager 512 includes a standard compliance manager 516 that determines a level of compliance with one or more security standards. For example, in one or more embodiments, the standard compliance manager 516 accesses mapping information associating various security policies with corresponding security standards and determines a level or extent to which the computing device 502 complies with one or more security standards. In one or more embodiments, the standard compliance manager 516 provides an indication of a level of compliance with one or multiple security standards. In addition, the standard compliance manager 516 can provide an indication of what additional security policies are applicable for completing compliance of the computing device 502 with a corresponding security standard(s).

In one or more embodiments, the computing device 502 additionally includes data storage 518 including data for implementing a policy-driven approach to securing the computing device. For example, as shown in FIG. 5, the data storage 518 includes policy data 520 including any information that makes up a security policy. For example, policy data 520 may include a configuration state for an associated configuration setting. In one or more embodiments, the policy data 520 can include multiple configuration states that are in compliance with a corresponding security standard. In one or more embodiments, the computing device 502 accesses the policy data 520 from a server device for storage on the computing device 502.

The data storage 518 can further include standard data 522 including any information associated with a security standard. For example, the standard data 522 may include a list of checks and configuration states associated with complying with a specific security standard. For example, standard data 522 may include configuration states that would place a computing device 502 in compliance with a security standard. Alternatively, standard data 522 can include an indication of configuration states out of compliance with a corresponding security standard. In one or more embodiments, the computing device 502 receives or otherwise accesses the standard data 522 from a third-party server device, as discussed above in connection with FIG. 1.

In one or more embodiments, each of the components of the configuration management agent 108 is in communication with the others using any suitable communication technologies. Additionally, the components of the configuration management agent 108 can be in communication with one or more other devices including the server device(s) 102 and the third-party server device(s) 112 discussed above. It will be recognized that although the components of the configuration management agent 108 are shown to be separate in FIG. 5, any of the subcomponents may be combined into fewer components, such as into a single component, or divided into more components as may serve a particular embodiment.

Furthermore, although the components of FIG. 5 are described in connection with a configuration management agent 108, at least some of the components for performing operations described herein may be implemented on other devices within an environment (e.g., the environment 100 of FIG. 1).

The components of the configuration management agent 108 can include software, hardware, or both. For example, the components of the configuration management agent 108 can include one or more instructions stored on a computer-readable storage medium and be executable by processors of one or more computing devices. When executed by the one or more processors, the computer-executable instructions of the configuration management agent 108 can cause the computing device 502 to perform the methods described herein. Alternatively, the components of the configuration management agent 108 can comprise hardware, such as a special-purpose processing device to perform a certain function or group of functions. Additionally, or alternatively, the components of the configuration management agent 108 can include a combination of computer-executable instructions and hardware.

Turning now to FIGS. 6-7, these figures illustrate flowcharts including example series of acts for implementing a policy-driven approach to enforce security policies on a computing device. While FIGS. 6-7 illustrate acts according to one or more embodiments, alternative embodiments may omit, add to, reorder, and/or modify any of the acts shown in FIGS. 6-7. The acts of FIGS. 6-7 can be performed as part of a method. Alternatively, a non-transitory computer-readable storage medium can include instructions that, when executed by one or more processors, cause a computing device to perform the acts of FIGS. 6-7. In still further embodiments, a system can perform the acts of FIGS. 6-7.

For example, as illustrated in FIG. 6, the series of acts 600 includes an act 610 of identifying a plurality of security policies including configuration states corresponding to configuration settings for a client device. For instance, in one or more embodiments, the act 610 includes identifying a plurality of security policies, the plurality of security policies comprising a plurality of configuration states associated with configuration settings of the client device. In one or more embodiments, the configuration settings of the client device refer to one or more settings of an application or operating system on the client device. In addition, in one or more embodiments, the configuration settings include settings that grant or restrict access to intended functionality of the application or operating system on the client device.

In addition to identifying or generally accessing the security policies, in one or more embodiments, the series of acts 600 includes maintaining the plurality of security policies (e.g., on a client device or server device). For example, in one or more embodiments, the series of acts 600 includes maintaining a plurality of security policies including the plurality of configuration states associated with configuration settings of the client device.

As further shown in FIG. 6, the series of acts 600 includes an act 620 of receiving a request to implement the plurality of security policies on the client device. For example, in one or more embodiments, the act 620 includes receiving a request to implement the plurality of security policies on the client device.

As further shown in FIG. 6, the series of acts 600 includes an act 630 of performing an idempotent enforcement operation to enforce configuration states defined by the security policies on the client device. For example, in one or more embodiments, the act 630 includes, for a security policy from the plurality of security policies, performing an operation to enforce a configuration state for a corresponding configuration setting of the client device where the operation to enforce the configuration state includes an idempotent operation in which a check and a fix of a configuration setting to comply with the configuration state are the same operation. In one or more embodiments, performing the operation to enforce the configuration state includes performing the operation by an agent on the client device. In one or more embodiments, the agent includes a software application that maintains an active connection with a master agent on a server device that maintains the plurality of security policies.

In one or more embodiments, performing the operation includes enforcing a configuration setting to comply with the configuration state defined by the security policy regardless of a current state of the configuration setting prior to receiving the request to implement the plurality of security policies on the client device. In one or more embodiments, if the current state of the configuration setting complies with the configuration state defined by the security policy, then performing the operation to enforce the configuration setting to correspond to the configuration state has no effect on the current state of the configuration setting. Alternatively, if the current state of the configuration setting does not comply with the configuration state defined by the security policy, then performing the operation to enforce the configuration setting to correspond to the configuration state comprises modifying the current state of the configuration setting to comply with the configuration state defined by the security policy.

In one or more embodiments, the series of acts 600 includes performing multiple operations to enforce configuration states defined by corresponding security policies from the plurality of security policies. In one or more embodiments, performing the multiple operations includes scanning a plurality of configuration settings and remediating one or more configuration settings of the plurality of configuration settings in response to a single user input indicating the request to implement the plurality of security policies on the client device. Further, in one or more embodiments, performing the multiple operations includes performing acts of scanning the plurality of configuration settings and remediating the one or more configuration settings by a single software agent.

In one or more embodiments, the series of acts 600 includes identifying an exemption that applies to the client device for a given security policy. In addition, performing the operation to enforce a configuration state for a configuration setting defined by the given security policy may include bypassing the given security policy while enforcing one or more additional security policies from the plurality of security policies.

In one or more embodiments, the series of acts further includes generating an audit report for the request to implement the plurality of security policies on the client device. The audit report may include an indication of one or more actions taken by an agent on the client device based on differences between one or more current states of configuration settings on the client device and one or more configuration states defined by the plurality of security policies.

FIG. 7 illustrates another series of acts for implementing a policy-driven approach to enforcing security policies on a computing device. For example, as illustrated in FIG. 7, the series of acts 700 includes an act 710 of maintaining a plurality of security policies including configuration states associated with configuration settings. For example, in one or more embodiments, the act 710 includes maintaining a plurality of security policies that include a plurality of configuration states associated with configuration settings of a client device in addition to mapping information associating the plurality of security policies to a plurality of security standards. In one or more embodiments, the configuration settings of the client device refer to one or more settings of an application or operating system on the client device that grant or restrict access to one or more intended functionalities of the application or operating system.

As shown in FIG. 7, the series of acts 700 further includes an act 720 of receiving a request to enforce a security standard. For example, in one or more embodiments, the act 720 includes receiving a request to enforce a first security standard from the plurality of security standards. The security standards may include two or more of Center for Internet Security (CIS) standards, Standard Technical Implementation Guide (STIG) standards, Payment Card Industry (PCI) standards, and Health Insurance Portability and Accountability Act (HIPAA) standards.

As further shown in FIG. 7, the series of acts 700 includes an act 730 of identifying a subset of the plurality of security policies having mapping information associated with the security standard for enforcement on a client device. For example, in one or more embodiments, the act 730 includes identifying a subset of security policies from the plurality of security policies having mapping information associated with the first security standard for enforcement on the client device. In one or more embodiments, the series of acts 700 includes generating the mapping information for the plurality of security policies by mapping the plurality of configuration states associated with configuration settings of the client device to respective security standards from the plurality of security standards.

As further shown in FIG. 7, the series of acts 700 includes an act 740 of enforcing configuration states defined by the subset of the plurality of security policies on the client device. For example, in one or more embodiments, the act 740 includes performing (e.g., causing a client device to perform) an operation to enforce a configuration state for a corresponding configuration setting defined by a security policy from the identified subset of security policies. In one or more embodiments, the operation to enforce the configuration state includes an idempotent operation in which a check and a fix of the security policy are the same operation. In addition, in one or more embodiments, performing the idempotent operation includes enforcing a configuration setting to correspond to the configuration state defined by the security policy regardless of a current state of the configuration setting prior to receiving the request to implement the plurality of security policies on the client device.

In one or more embodiments, the series of acts 700 further includes receiving a report including information associated with enforcing the subset of security policies on the client device. The series of acts 700 can further include generating a compliance report indicating a measure of compliance with the first security standard. In one or more embodiments, generating the compliance report includes identifying a second subset of security policies having mapping information associated with a second security standard. Generating the compliance report can further include, based on overlap between mapping information for the subset of security policies and the mapping information associated with the second security standard, providing, within the compliance report, an indication of a second measure of compliance with the second security standard.

In one or more embodiments, the series of acts 700 further includes providing an option to request enforcement of the second security standard. The series of acts 700 can also include receiving a request to enforce the second security standard indicated in the compliance report and identifying a second subset of security policies from the plurality of security policies having mapping information associated with the second security standard for enforcement on the client device. Enforcing the first security standard may involve causing the client device to perform one or more operations to enforce one or more configuration states for one or more corresponding configuration settings defined by the second subset of security policies. In one or more embodiments, enforcing the second security standard includes bypassing enforcement of the one or more security policies in common between the subset of security policies and the second subset of security policies based on a determination that the one or more configuration states are already in compliance with the one or more security policies when the subset of security policies were enforced in response to receiving the request to enforce the first security standard.
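As an added illustration of the FIG. 6 and FIG. 7 acts described above (example code, not code from the disclosure), the following Python models a policy catalogue carrying mapping information to standards, a single agent that enforces each policy with an idempotent check-and-fix, exemption bypass, and a compliance report in which the second standard's measure is derived from the overlap with the standard already enforced. All policy ids, settings, the device state, the standard mapping and the exemption are constructed for the example.

```python
"""Added model of the FIG. 6 / FIG. 7 flow (not the disclosure's own code).  Policy ids,
settings, the standard-to-policy mapping and the device state are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    policy_id: str
    setting: str          # configuration setting on the client device
    desired: object       # configuration state the policy requires
    standards: frozenset  # mapping information: standards this policy satisfies


# Constructed policy catalogue (act 710).
POLICIES = (
    Policy("P-001", "password_min_length", 14, frozenset({"CIS", "STIG", "PCI"})),
    Policy("P-002", "screen_lock_timeout_s", 900, frozenset({"CIS", "STIG", "HIPAA"})),
    Policy("P-003", "firewall_enabled", True, frozenset({"CIS", "PCI", "HIPAA"})),
    Policy("P-004", "guest_account_enabled", False, frozenset({"CIS", "STIG"})),
    Policy("P-005", "audit_logging_enabled", True, frozenset({"STIG", "PCI", "HIPAA"})),
    Policy("P-006", "disk_encryption_enabled", True, frozenset({"PCI", "HIPAA"})),
)

DEVICE_STATE = {  # constructed current state of a client device before enforcement
    "password_min_length": 8, "screen_lock_timeout_s": 900, "firewall_enabled": False,
    "guest_account_enabled": True, "audit_logging_enabled": False, "disk_encryption_enabled": True,
}


def policies_for(standard, policies=POLICIES):
    """Act 730: the subset of policies whose mapping information names `standard`."""
    return [p for p in policies if standard in p.standards]


def overlap(first, second, policies=POLICIES):
    """Policy ids common to two standards (the 'overlap' of claim 1)."""
    return {p.policy_id for p in policies if {first, second} <= p.standards}


class Agent:
    """Single software agent on the client device that both scans and remediates."""

    def __init__(self, settings, exemptions=()):
        self.settings = dict(settings)      # live configuration state
        self.exemptions = set(exemptions)   # policy ids exempted on this device
        self.enforced = set()               # policies known compliant since enforcement
        self.audit_log = []                 # (policy, setting, before, after, action)

    def enforce(self, policy):
        """Idempotent check-and-fix (act 740): write the desired state regardless of the
        current state; the log records whether anything actually changed."""
        before = self.settings.get(policy.setting)
        self.settings[policy.setting] = policy.desired
        action = "verified" if before == policy.desired else "remediated"
        self.audit_log.append((policy.policy_id, policy.setting, before, policy.desired, action))
        self.enforced.add(policy.policy_id)
        return action

    def enforce_standard(self, standard):
        """One pass over every policy mapped to `standard`: exempt policies are bypassed,
        policies already enforced under an earlier standard are skipped."""
        summary = {"remediated": 0, "verified": 0, "exempt": 0, "skipped": 0}
        for p in policies_for(standard):
            if p.policy_id in self.exemptions:
                self.audit_log.append((p.policy_id, p.setting, None, None, "exempt"))
                summary["exempt"] += 1
            elif p.policy_id in self.enforced:
                summary["skipped"] += 1
            else:
                summary[self.enforce(p)] += 1
        return summary

    def in_scope(self, standard):
        return [p for p in policies_for(standard) if p.policy_id not in self.exemptions]

    def audit(self, standard):
        """Measured compliance: fraction of in-scope policies whose setting matches."""
        scope = self.in_scope(standard)
        return sum(self.settings.get(p.setting) == p.desired for p in scope) / len(scope) if scope else 1.0

    def projected_compliance(self, standard):
        """Compliance inferred from the overlap alone, without re-scanning the device:
        enforced policies are known compliant, so this is a lower bound on audit()."""
        scope = self.in_scope(standard)
        return sum(p.policy_id in self.enforced for p in scope) / len(scope) if scope else 1.0


def run_demo():
    """Enforce CIS, report CIS and PCI compliance, then enforce PCI using the overlap."""
    agent = Agent(DEVICE_STATE, exemptions={"P-004"})  # constructed device exemption
    cis_actions = agent.enforce_standard("CIS")
    report = {"CIS": agent.audit("CIS"), "PCI_projected": agent.projected_compliance("PCI"),
              "PCI_measured": agent.audit("PCI"), "overlap": sorted(overlap("CIS", "PCI"))}
    pci_actions = agent.enforce_standard("PCI")
    return {"cis_actions": cis_actions, "report": report, "pci_actions": pci_actions,
            "pci_after": agent.audit("PCI"), "log": agent.audit_log}


if __name__ == "__main__":
    print(run_demo())
```

The projected PCI measure is lower than the measured one because it counts only policies the agent has already enforced; the second enforcement pass then skips exactly the overlapping policies.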

Embodiments of the present disclosure may comprise or utilize a special-purpose or general-purpose computer including computer hardware, such as, for example, one or more processors and system memory, as discussed in greater detail below. Embodiments within the scope of the present disclosure also include physical and other computer-readable media for carrying or storing computer-executable instructions and/or data structures. In particular, one or more of the processes described herein may be implemented at least in part as instructions embodied in a non-transitory computer-readable storage medium and executable by one or more computing devices (e.g., any of the media content access devices described herein). In general, a processor (e.g., a microprocessor) receives instructions from a non-transitory computer-readable storage medium (e.g., memory) and executes those instructions, thereby performing one or more processes, including one or more of the processes described herein.

Computer-readable media can be any available media that can be accessed by a general-purpose or special-purpose computer system. Computer-readable media that store computer-executable instructions are non-transitory computer-readable storage media (devices). Computer-readable media that carry computer-executable instructions are transmission media. Thus, by way of example, and not limitation, embodiments of the disclosure can comprise at least two distinctly different kinds of computer-readable media: non-transitory computer-readable storage media (devices) and transmission media.

Non-transitory computer-readable storage media (devices) include random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), CD-ROM, solid state drives (“SSDs”) (e.g., based on RAM), Flash memory, phase-change memory (“PCM”), other types of memory, other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store desired program code means in the form of computer-executable instructions or data structures and which can be accessed by a general-purpose or special-purpose computer.

A “network” is defined as one or more data links that enable the transport of electronic data between computer systems and/or modules and/or other electronic devices. When information is transferred or provided over a network or another communications connection (either hardwired, wireless, or a combination of hardwired or wireless) to a computer, the computer properly views the connection as a transmission medium. Transmission media can include a network and/or data links which can be used to carry desired program code means in the form of computer-executable instructions or data structures and which can be accessed by a general-purpose or special-purpose computer. Combinations of the above should also be included within the scope of computer-readable media.

Further, upon reaching various computer system components, program code means in the form of computer-executable instructions or data structures can be transferred automatically from transmission media to non-transitory computer-readable storage media (devices) (or vice versa). For example, computer-executable instructions or data structures received over a network or data link can be buffered in RAM within a network interface module (e.g., a “NIC”), and then eventually transferred to computer system RAM and/or to less volatile computer storage media (devices) at a computer system. Thus, it should be understood that non-transitory computer-readable storage media (devices) can be included in computer system components that also (or even primarily) utilize transmission media.

Computer-executable instructions comprise, for example, instructions and data which, when executed by a processor, cause a general-purpose computer, special-purpose computer, or special-purpose processing device to perform a certain function or group of functions. In some embodiments, computer-executable instructions are executed by a general-purpose computer to turn the general-purpose computer into a special-purpose computer implementing elements of the disclosure. The computer-executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, or even source code. Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the described features or acts described above. Rather, the described features and acts are disclosed as example forms of implementing the claims.

Those skilled in the art will appreciate that the disclosure may be practiced in network computing environments with many types of computer system configurations, including personal computers, desktop computers, laptop computers, message processors, hand-held devices, multi-processor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, mobile telephones, PDAs, tablets, pagers, routers, switches, and the like. The disclosure may also be practiced in distributed system environments where local and remote computer systems, which are linked (either by hardwired data links, wireless data links, or by a combination of hardwired and wireless data links) through a network, both perform tasks. In a distributed system environment, program modules may be located in both local and remote memory storage devices.

Embodiments of the present disclosure can also be implemented in cloud computing environments. As used herein, the term “cloud computing” refers to a model for enabling on-demand network access to a shared pool of configurable computing resources. For example, cloud computing can be employed in the marketplace to offer ubiquitous and convenient on-demand access to the shared pool of configurable computing resources. The shared pool of configurable computing resources can be rapidly provisioned via virtualization and released with low management effort or service provider interaction, and then scaled accordingly.

A cloud-computing model can be composed of various characteristics such as, for example, on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service, and so forth. A cloud-computing model can also expose various service models, such as, for example, Software as a Service (“SaaS”), Platform as a Service (“PaaS”), and Infrastructure as a Service (“IaaS”). A cloud-computing model can also be deployed using different deployment models such as private cloud, community cloud, public cloud, hybrid cloud, and so forth. In addition, as used herein, the term “cloud-computing environment” refers to an environment in which cloud computing is employed.

FIG. 8 illustrates a block diagram of an example computing device 800 that may be configured to perform one or more of the processes described above. One will appreciate that one or more computing devices, such as the computing device 800, may represent the computing devices described above in connection with one or more embodiments (e.g., client devices and/or server devices). In one or more embodiments, the computing device 800 may be a mobile device (e.g., a mobile telephone, a smartphone, a PDA, a tablet, a laptop, a camera, a tracker, a watch, a wearable device, etc.). In some embodiments, the computing device 800 may be a non-mobile device (e.g., a desktop computer or another type of client device). Further, the computing device 800 may be a server device that includes cloud-based processing and storage capabilities.

As shown in FIG. 8, the computing device 800 can include one or more processor(s) 802, memory 804, a storage device 806, input/output interfaces 808 (or “I/O interfaces 808”), and a communication interface 810, which may be communicatively coupled by way of a communication infrastructure (e.g., bus 812). While the computing device 800 is shown in FIG. 8, the components illustrated in FIG. 8 are not intended to be limiting. Additional or alternative components may be used in other embodiments. Furthermore, in certain embodiments, the computing device 800 includes fewer components than those shown in FIG. 8. Components of the computing device 800 shown in FIG. 8 will now be described in additional detail.

In particular embodiments, the processor(s) 802 includes hardware for executing instructions, such as those making up a computer program. As an example, and not by way of limitation, to execute instructions, the processor(s) 802 may retrieve (or fetch) the instructions from an internal register, an internal cache, memory 804, or a storage device 806 and decode and execute them.

The computing device 800 includes memory 804, which is coupled to the processor(s) 802. The memory 804 may be used for storing data, metadata, and programs for execution by the processor(s). The memory 804 may include one or more of volatile and non-volatile memories, such as random-access memory (“RAM”), read-only memory (“ROM”), a solid-state disk (“SSD”), Flash, phase change memory (“PCM”), or other types of data storage. The memory 804 may be internal or distributed memory.

The computing device 800 includes a storage device 806 that includes storage for storing data or instructions. As an example, and not by way of limitation, the storage device 806 can include a non-transitory storage medium described above. The storage device 806 may include a hard disk drive (HDD), flash memory, a Universal Serial Bus (USB) drive or a combination of these or other storage devices.

As shown, the computing device 800 includes one or more I/O interfaces 808, which are provided to allow a user to provide input to (such as user strokes), receive output from, and otherwise transfer data to and from, the computing device 800. These I/O interfaces 808 may include a mouse, a keypad or a keyboard, a touchscreen, a camera, an optical scanner, a network interface, a modem, other known I/O devices, or a combination of such I/O interfaces 808. The touchscreen may be activated with a stylus or a finger.

The I/O interfaces 808 may include one or more devices for presenting output to a user, including, but not limited to, a graphics engine, a display (e.g., a display screen), one or more output drivers (e.g., display drivers), one or more audio speakers, and one or more audio drivers. In certain embodiments, I/O interfaces 808 are configured to provide graphical data to a display for presentation to a user. The graphical data may be representative of one or more graphical user interfaces and/or any other graphical content as may serve a particular implementation.

The computing device 800 can further include a communication interface 810. The communication interface 810 can include hardware, software, or both. The communication interface 810 provides one or more interfaces for communication (such as, for example, packet-based communication) between the computing device and one or more other computing devices or one or more networks. As an example, and not by way of limitation, communication interface 810 may include a network interface controller (NIC) or network adapter for communicating with an Ethernet or other wire-based network or a wireless NIC (WNIC) or wireless adapter for communicating with a wireless network, such as a WI-FI network. The computing device 800 can further include a bus 812. The bus 812 can include hardware, software, or both, that connects components of computing device 800 to each other.

FIG. 9 illustrates an example network environment 900 in accordance with one or more embodiments described herein. Network environment 900 includes a client device 906 and a server device 902 connected to each other by a network 904. Although FIG. 9 illustrates a particular arrangement of client device 906, server device 902, and network 904, this disclosure contemplates any suitable arrangement of client device 906, server device 902, and network 904. As an example and not by way of limitation, two or more of client devices 906 and server device 902 may be connected to each other directly, bypassing network 904. As another example, two or more of client device 906 and server device 902 may be physically or logically co-located with each other in whole or in part. Moreover, although FIG. 9 illustrates a particular number of client devices 906, server device(s) 902, and networks 904, this disclosure contemplates any suitable number of client devices 906, server device(s) 902, and networks 904. As an example and not by way of limitation, network environment 900 may include multiple client devices 906, server device(s) 902, and networks 904.

This disclosure contemplates any suitable network 904. As an example and not by way of limitation, one or more portions of network 904 may include an ad hoc network, an intranet, an extranet, a virtual private network (VPN), a local area network (LAN), a wireless LAN (WLAN), a wide area network (WAN), a wireless WAN (WWAN), a metropolitan area network (MAN), a portion of the Internet, a portion of the Public Switched Telephone Network (PSTN), a cellular telephone network, or a combination of two or more of these. Network 904 may include one or more networks 904.

Links may connect client device 906 and server device 902 to communication network 904 or to each other. This disclosure contemplates any suitable links. In particular embodiments, one or more links include one or more wireline (such as, for example, Digital Subscriber Line (DSL) or Data Over Cable Service Interface Specification (DOCSIS)), wireless (such as, for example, Wi-Fi or Worldwide Interoperability for Microwave Access (WiMAX)), or optical (such as, for example, Synchronous Optical Network (SONET) or Synchronous Digital Hierarchy (SDH)) links. In particular embodiments, one or more links each include an ad hoc network, an intranet, an extranet, a VPN, a LAN, a WLAN, a WAN, a WWAN, a MAN, a portion of the Internet, a portion of the PSTN, a cellular technology-based network, a satellite communications technology-based network, another link, or a combination of two or more such links. Links need not necessarily be the same throughout network environment 900. One or more first links may differ in one or more respects from one or more second links.

In particular embodiments, client device 906 may be an electronic device including hardware, software, or embedded logic components or a combination of two or more such components and capable of carrying out the appropriate functionalities implemented or supported by client device 906. As an example and not by way of limitation, a client device 906 may include any of the computing devices discussed above in relation to one or more embodiments described herein. A client device 906 may enable a network user at client device 906 to access network 904. A client device 906 may enable its user to communicate with other users at other client systems.

In particular embodiments, client device 906 may include a web browser, such as MICROSOFT INTERNET EXPLORER, GOOGLE CHROME, or MOZILLA FIREFOX, and may have one or more add-ons, plug-ins, or other extensions, such as TOOLBAR or YAHOO TOOLBAR. A user at client device 906 may enter a Uniform Resource Locator (URL) or other address directing the web browser to a particular server (such as a server, or a server associated with a third-party system), and the web browser may generate a Hyper Text Transfer Protocol (HTTP) request and communicate the HTTP request to the server. The server may accept the HTTP request and communicate to client device 906 one or more Hyper Text Markup Language (HTML) files responsive to the HTTP request. Client device 906 may render a webpage based on the HTML files from the server for presentation to the user. This disclosure contemplates any suitable webpage files. As an example and not by way of limitation, webpages may render from HTML files, Extensible Hyper Text Markup Language (XHTML) files, or Extensible Markup Language (XML) files, according to particular needs. Such pages may also execute scripts such as, for example, and without limitation, those written in JAVASCRIPT, JAVA, MICROSOFT SILVERLIGHT, combinations of markup languages and scripts such as AJAX (Asynchronous JAVASCRIPT and XML), and the like. Herein, reference to a webpage encompasses one or more corresponding webpage files (which a browser may use to render the webpage) and vice versa, where appropriate.

In particular embodiments, server device 902 may include a variety of servers, sub-systems, programs, modules, logs, and data stores. In particular embodiments, server device 902 may include one or more of the following: a web server, action logger, API-request server, relevance-and-ranking engine, content-object classifier, notification controller, action log, third-party-content-object-exposure log, inference module, authorization/privacy server, search module, advertisement-targeting module, user-interface module, user-profile store, connection store, third-party content store, or location store. Server device 902 may also include suitable components such as network interfaces, security mechanisms, load balancers, failover servers, management-and-network-operations consoles, other suitable components, or any suitable combination thereof.

In the foregoing specification, the invention has been described with reference to specific example embodiments thereof. Various embodiments and aspects of the invention(s) are described with reference to details discussed herein, and the accompanying drawings illustrate the various embodiments. The description above and drawings are illustrative of the invention and are not to be construed as limiting the invention. Numerous specific details are described to provide a thorough understanding of various embodiments of the present invention.

The present invention may be embodied in other specific forms without departing from its spirit or essential characteristics. The described embodiments are to be considered in all respects only as illustrative and not restrictive. For example, the methods described herein may be performed with fewer or more steps/acts or the steps/acts may be performed in differing orders. Additionally, the steps/acts described herein may be repeated or performed in parallel to one another or in parallel to different instances of the same or similar steps/acts. The scope of the invention is, therefore, indicated by the appended claims rather than by the foregoing description. All changes that come within the meaning and range of equivalency of the claims are to be embraced within their scope.

What is claimed is:
1. An apparatus comprising: at least one memory; instructions in the apparatus; and processor circuitry to execute the instructions to: enforce a first security policy of a first security standard; audit for a first compliance level with the first security standard; audit for a second compliance level with a second security standard; determine an overlap between the first security standard and the second security standard, the overlap associated with a second security policy; enforce the second security standard; and determine an update of the first compliance level based on the overlap.
2. The apparatus of claim 1, wherein the processor circuitry is to execute the instructions to enforce at least one of the first security policy or the second security policy with an idempotent operation in which a check and a fix of the security policy are the same operation.
3. The apparatus of claim 1, wherein the processor circuitry is to execute the instructions to: determine whether an exemption applies to at least one of the first or second security policies and in response to a determination that the exemption applies to the at least one of the first or second security policies, bypass enforcement of the at least one of the first or second security policies.
4. The apparatus of claim 1, wherein the processor circuitry is to execute the instructions to generate a compliance report indicating a measure of compliance with at least one of the first security standard or the second security standard.
5. The apparatus of claim 1, wherein the processor circuitry is to execute the instructions to generate mapping information associating a plurality of security policies to a plurality of security standards.
6. The apparatus of claim 5, wherein the mapping information includes information indicating the overlap between the first security standard and the second security standard.
7. The apparatus of claim 1, wherein compliance with a security standard includes configuration settings of an application or operating system on a client device.
8. The apparatus of claim 1, wherein the processor circuitry is to determine the update of the first compliance level based on the overlap before performing an additional audit of the first compliance level.
9. A non-transitory computer readable storage medium comprising instructions which, when executed, cause processor circuitry to at least: enforce a first security policy of a first security standard; audit for a first compliance level with the first security standard; audit for a second compliance level with a second security standard; determine an overlap between the first security standard and the second security standard, the overlap associated with a second security policy; enforce the second security standard; and determine an update of the first compliance level based on the overlap.
10. The non-transitory computer readable storage medium of claim 9, wherein the instructions, when executed, cause the processor circuitry to enforce at least one of the first security policy or the second security policy with an idempotent operation in which a check and a fix of the security policy are the same operation.
11. The non-transitory computer readable storage medium of claim 9, wherein the instructions, when executed, cause the processor circuitry to: determine whether an exemption applies to at least one of the first or second security policies; and in response to a determination that the exemption applies to the at least one of the first or second security policies, bypass enforcement of the at least one of the first or second security policies.
12. The non-transitory computer readable storage medium of claim 9, wherein the instructions, when executed, cause the processor circuitry to generate a compliance report indicating a measure of compliance with at least one of the first security standard or the second security standard.
13. The non-transitory computer readable storage medium of claim 9, wherein the instructions, when executed, cause the processor circuitry to generate mapping information associating a plurality of security policies to a plurality of security standards.
14. The non-transitory computer readable storage medium of claim 13, wherein the mapping information includes information indicating the overlap between the first security standard and the second security standard.
15. The non-transitory computer readable storage medium of claim 9, wherein compliance with a security standard includes configuration settings of an application or operating system on a client device.
16. The non-transitory computer readable storage medium of claim 9, wherein the instructions, when executed, cause the processor circuitry to determine the update of the first compliance level based on the overlap before performing an additional audit of the first compliance level.
17. A method comprising: enforcing, by executing an instruction with a processor, a first security policy of a first security standard; auditing, by executing an instruction with the processor, for a first compliance level with the first security standard; auditing, by executing an instruction with the processor, for a second compliance level with a second security standard; determining, by executing an instruction with the processor, an overlap between the first security standard and the second security standard, the overlap associated with a second security policy; enforcing, by executing an instruction with the processor, the second security standard; and determining, by executing an instruction with the processor, an update of the first compliance level based on the overlap.
18. The method of claim 17, further including enforcing at least one of the first security policy or the second security policy with an idempotent operation in which a check and a fix of the security policy are the same operation.
19. The method of claim 17, further including: determining whether an exemption applies to at least one of the first or second security policies; and in response to determining that the exemption applies to the at least one of the first or second security policies, bypassing enforcement of the at least one of the first or second security policies.
20. The method of claim 17, further including generating a compliance report indicating a measure of compliance with at least one of the first security standard or the second security standard.
21. The method of claim 17, further including generating mapping information associating a plurality of security policies to a plurality of security standards.
22. The method of claim 21, wherein the mapping information includes information indicating the overlap between the first security standard and the second security standard.
23. The method of claim 17, wherein compliance with a security standard includes configuration settings of an application or operating system on a client device.
24. The method of claim 17, further including determining the update of the first compliance level based on the overlap before performing an additional audit of the first compliance level.